A Valve that supports a "single sign on" user experience,
where the security identity of a user who successfully authenticates to one
web application is propagated to other web applications in the same
security domain. For successful use, the following requirements must
be met:

This Valve must be configured on the Container that represents a
virtual host (typically an implementation of Host).

The Realm that contains the shared user and role
information must be configured on the same Container (or a higher
one), and not overridden at the web application level.

The web applications themselves must use one of the standard
Authenticators found in the
org.apache.catalina.authenticator package.
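As an added deployment example, not taken from the Tomcat source or its documentation, the server.xml and web.xml excerpts below satisfy the three requirements above: the Valve and the shared Realm sit on the Host, no web application overrides the Realm, and each application selects a standard Authenticator through its login-config. The Host name, Context paths, cookie domain and login page paths are constructed values; the UserDatabaseRealm reference assumes the UserDatabase resource that Tomcat's default server.xml declares under GlobalNamingResources.

```xml
<!-- conf/server.xml (excerpt); names and paths are constructed for this example -->
<Host name="sso.example.test" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- Requirement 2: the Realm holding the shared user and role data is
       configured on the Host (the Engine would also do), so every web
       application under this Host authenticates against the same store. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

  <!-- Requirement 1: the SingleSignOn valve is configured on the Host.
       requireReauthentication="false" is the default: the valve itself binds
       the cached Principal to requests carrying a valid SSO cookie.
       cookieDomain is optional; when set, the SSO cookie is sent to every
       host under that domain, so name only a domain whose hosts you trust. -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
         requireReauthentication="false"
         cookieDomain="example.test"/>

  <!-- Neither Context declares its own <Realm>, which would override the
       shared one for that application and break requirement 2. -->
  <Context path="/app1" docBase="app1"/>
  <Context path="/app2" docBase="app2"/>
</Host>

<!-- webapps/app1/WEB-INF/web.xml (excerpt): requirement 3. The auth-method
     selects one of the standard Authenticators in
     org.apache.catalina.authenticator (FORM maps to FormAuthenticator).
     Only BASIC and FORM leave a username/password in the SSO entry that
     the valve can later reuse for reauthentication. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Shared Realm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

With this layout a user who completes the FORM login in /app1 receives the SSO cookie from the Valve and is recognised in /app2 without logging in again. Switch requireReauthentication to "true" when the Realm must be consulted for every request, for example when the same Realm also guards an EJB tier and needs credentials on each request thread.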

Version:

$Id: SingleSignOn.java 939523 2010-04-30 00:28:42Z kkolinko $

Author:

Craig R. McClanahan

Field Summary

protected java.util.Map cache
    The cache of SingleSignOnEntry instances for authenticated Principals,
    keyed by the cookie value that is used to select them.

Method Summary

boolean getRequireReauthentication()
    Gets whether each request needs to be reauthenticated (by an
    Authenticator downstream in the pipeline) to the security
    Realm, or if this Valve can itself bind security info
    to the request based on the presence of a valid SSO entry without
    rechecking with the Realm.

lookup(java.lang.String ssoId)
    Look up and return the cached SingleSignOn entry associated with this
    SSO id value, if there is one; otherwise return null.

protected boolean reauthenticate(java.lang.String ssoId, Realm realm, Request request)
    Attempts reauthentication to the given Realm using
    the credentials associated with the single sign-on session
    identified by argument ssoId.

protected void register(java.lang.String ssoId, java.security.Principal principal,
                        java.lang.String authType, java.lang.String username,
                        java.lang.String password)
    Register the specified Principal as being associated with the specified
    value for the single sign on identifier.

setCookieDomain(java.lang.String cookieDomain)
    Sets the domain to be used for SSO cookies.

void setRequireReauthentication(boolean required)
    Sets whether each request needs to be reauthenticated (by an
    Authenticator downstream in the pipeline) to the security
    Realm, or if this Valve can itself bind security info
    to the request, based on the presence of a valid SSO entry, without
    rechecking with the Realm.

void start()
    Prepare for the beginning of active use of the public methods of this
    component.

void stop()
    Gracefully terminate the active use of the public methods of this
    component.

setCookieDomain

getRequireReauthentication

public boolean getRequireReauthentication()

Gets whether each request needs to be reauthenticated (by an
Authenticator downstream in the pipeline) to the security
Realm, or if this Valve can itself bind security info
to the request based on the presence of a valid SSO entry without
rechecking with the Realm.

Returns:

true if it is required that a downstream
Authenticator reauthenticate each request before calls to
HttpServletRequest.setUserPrincipal()
and HttpServletRequest.setAuthType() are made;
false if the Valve can itself make
those calls relying on the presence of a valid SingleSignOn
entry associated with the request.

setRequireReauthentication

public void setRequireReauthentication(boolean required)

Sets whether each request needs to be reauthenticated (by an
Authenticator downstream in the pipeline) to the security
Realm, or if this Valve can itself bind security info
to the request, based on the presence of a valid SSO entry, without
rechecking with the Realm.

If this property is false (the default), this
Valve will bind a UserPrincipal and AuthType to the request
if a valid SSO entry is associated with the request. It will not notify
the security Realm of the incoming request.

This property should be set to true if the overall server
configuration requires that the Realm reauthenticate each
request thread. An example of such a configuration would be one where
the Realm implementation provides security for both a
web tier and an associated EJB tier, and needs to set security
credentials on each request thread in order to support EJB access.

If this property is set to true, this Valve will set flags
on the request notifying the downstream Authenticator that the request
is associated with an SSO session. The Authenticator will then call its
reauthenticateFromSSO
method to attempt to reauthenticate the request to the
Realm, using any credentials that were cached with this
Valve.

The default value of this property is false, in order
to maintain backward compatibility with previous versions of Tomcat.

Parameters:

required - true if it is required that a downstream
Authenticator reauthenticate each request before calls
to HttpServletRequest.setUserPrincipal()
and HttpServletRequest.setAuthType() are
made; false if the Valve can
itself make those calls relying on the presence of a
valid SingleSignOn entry associated with the request.

update

Updates any SingleSignOnEntry found under key
ssoId with the given authentication data.

The purpose of this method is to allow an SSO entry that was
established without a username/password combination (i.e. established
following DIGEST or CLIENT_CERT authentication) to be updated with
a username and password if one becomes available through a subsequent
BASIC or FORM authentication. The SSO entry will then be usable for
reauthentication.

NOTE: Only updates the SSO entry if a call to
SingleSignOnEntry.getCanReauthenticate() returns
false; otherwise, it is assumed that the SSO entry already
has sufficient information to allow reauthentication and that no update
is needed.

Parameters:

ssoId - identifier of the single sign-on entry to be updated

principal - the Principal returned by the latest
call to Realm.authenticate.

authType - the type of authenticator used (BASIC, CLIENT_CERT,
DIGEST or FORM)